Constructing Pairing-friendly Elliptic Curves with Small ρ ∗

Mingqiang Wang and Cai JieSchool of Mathematics

Shandong University, 250100 Jinan Shandong

Abstract— In this paper, we provide a method of constructingpairing-friendly elliptic curves on which the optimal pairingcan be defined and the resulting curves have small ρ valueapproximate to 1. Our algorithm is explicit and works forarbitrary embedding degree k and large prime subgroup orderr.

Index Terms— Pairing-friendly; Optimal pairing; Cyclotomicpolynomial; Pairing lattice

I. INTRODUCTION

Pairing based cryptography is a major area of researchin public key cryptography. There has been a huge interestin developing fast algorithms to compute bilinear pairing. Abilinear pairing is a map of form

e : G1 ×G2 −→ GT

where G1, G2 and GT are cyclic groups of prime order r.So far as we known, all the fast algorithms of computing

Weil and Tate pairings are based on Miller’s algorithm [13]on (hyper)elliptic curves. One line of research focuses onshortening the loop in Millers algorithm, which was initiatedby Duursma-Lee [3] and extended by Barreto et al. [2] tosupersingular abelian varieties. The ate pairing introduced in[7] for elliptic curves and in [5] for hyperelliptic curves gen-eralize these pairings to all ordinary curves. Recently, variantsof the ate pairing were introduced thereby reducing the looplength in Miller’s algorithm, such as the optimized ate pairing[12], and finally the R-ate pairing [10]. All variants of theate pairing have a Miller loop of length at least log2 r

ϕ(k) , withthe embedding degree k. Vercauteren [15] introduced thenotion of optimal pairings, which by definition attains thislower bound and conjectured that any non-degenerate pairingon an elliptic curve without extra efficiently computableendomorphisms different from Frobenius requires at leastlog2 rϕ(k) basic Miller operations. Hess [6] proved this conjecture

and thereby justifying the term “optimal pairing” in [15].All of the proposed pairings take as input points on a

subgroup of prime-order r of an elliptic curve E definedover a finite field Fq and give as output an element of anextension field Fqk . For the system to be secure, the discrete

∗This work is partially supported by national 973(GrantNo.2007CB807902); and Nature Science of Shandong Province (Grant NoY2008G23); Doctoral Fund of Ministry of Education of China (Grant No20090131120012); and IIFSDU(Grant No 2010ST075).

logarithm problems in the group E(Fq) of Fq-rational pointson E and in the multiplicative group F∗

qk must both becomputationally infeasible. Since there exist subexponential-time discrete log algorithms in the multiplicative group F∗

qk

but only exponential-time discrete log algorithms in ellipticcurve. Thus to achieve the same level of security in bothgroups, the size qk of the extension field must be significantlylarger than r. The ratio of these sizes is measured by twoparameters: the embedding degree, which is the degree k ofthe extension field required by the pairing; and the parameterρ = log q/ log r, which measures the field size relative to thesize of the prime-order subgroup on the curve. In generalchoosing minimal ρ for the same security levels will optimizethe performance of pairing based cryptographic schemes.One calls an elliptic curve with a small embedding degreeand a large prime-order subgroup pairing-friendly which isintroduced by Freeman, Scott and Teske [4] and defined asfollows.

Definition 1: Suppose E is an elliptic curve defined overa finite field Fq. We say that E is pairing-friendly if thefollowing two conditions hold:

1) there is a prime r ≥ √q dividing ]E(Fq), and2) the embedding degree of E with respect to r is less

than log2(r)/8.

In this paper, a pairing-friendly elliptic curve is called apairing-friendly elliptic curve with optimal pairing if thereexists an optimal pairing defined on such elliptic curve. Bythe Hess’s result in [6], we notice that pairing-friendly curveswith optimal pairing are quite scarce.

In this paper, we provide a method for constructing pairingfriendly curves and the resulting elliptic curves of the methodnot only have optimal paring defined on them but also have asmall ρ-value approximate to 1. Many new optimal pairingsare constructed by using cyclotomic polynomial.

This paper is organized as follows: Section 2 recalls thenecessary background knowledge, including all variants ofthe ate pairing, pairing lattice and Miller algorithm. Section3 provides a method for constructing pairing-friendly curveswith optimal pairing and defines some new optimal pairings.Finally, Section 4, concludes the paper.

2011 International Conference on Internet Computing and Information Services

978-0-7695-4539-4/11 $26.00 © 2011 IEEE

DOI 10.1109/ICICIS.2011.56

195

II. PRELIMINARIES

A. Bilinear pairingIn this paper, we will only consider the ordinary elliptic

curve, and the method can be generalized to supersingularelliptic curve or hyperelliptic curve. Let us recall the defini-tions of standard notation and pairing on elliptic curve.

Let Fq be a finite field with q elements and E be a non-singular elliptic curve over Fq. Let r be a positive divisorof ]E(Fq) and k > 1 be the embedding degree i.e. k isthe smallest integer such that r | qk − 1. Then E(Fqk)[r] ∼=Z/rZ × Z/rZ and there exists a basis P,Q of E(Fqk)[r]satisfying π(P ) = P and π(Q) = qQ, where π is the q-power Frobenius endomorphism on E. The subgroup of r-throots of unity of Fqk is denoted by µr, i.e. µr = {z ∈ F∗

qk :zr = 1}. We define G1 =< P > and G2 =< Q >. Notethat G1

⋂G2 = {O}.

For s ∈ Z and R ∈ E(Fqk), let fs,R ∈ Fqk(E) be theuniquely determined monic function with divisor (fs,R) =((sR) − (O)) − s((R) − (O)), where (R) is the divisorcorresponding to the point R. The reduced Tate pairing is

t : G2 ×G1 → µr, (Q,P ) 7→ fr,Q(P )qk−1/r.

It is in fact defined on all E(Fqk)[r]×E(Fqk)[r] and is alwaysnon-degenerate.

B. Pairing latticeLet s be an integer, for h =

∑di=0 hix

i ∈ Z[x] with h(s) ≡0 mod r, define ||h||1 =

∑di=0 |hi|, and let fs,h,R ∈ Fqk(E)

for R ∈ E(Fqk)[r] be the uniquely defined monic polynomialsatisfying

(fs,h,R) =d∑

i=0

hi((siR)− (O)).

Fact 1 [6] Assume that s is a primitive k-th root of unitymodulo r2. Let h ∈ Z[x] with h(s) ≡ 0 mod r. Then

as,h : G2 ×G1 → µr, (Q,P ) 7→ fs,h,Q(P )(qk−1)/r

is a bilinear pairing that is non-degenerate if and only ifh(s) 6= 0 mod r2. The relation with the Tate pairing isas,h(Q, P ) = t(Q,P )h(s)/r.

There exists an efficiently computable h ∈ Z[x] withh(s) ≡ 0 mod r, deg(h) ≤ ϕ(k)−1 and ||h||1 = O(r1/ϕ(k))such that as,h is non-degenerate. The O-constant dependsonly on k.

Any h ∈ Z[x] with h(s) ≡ 0 mod r such that as,h is anon-degenerate bilinear pairing satisfies ||h||1 ≥ r1/ϕ(k).

C. Miller algorithmTo compute the function fs,P for s > 0, one can use

Miller’s algorithm [13], which is a double-and-add approachbased on the following observation

fm+n,P = fm,P fn,PlmP,nP

v(m+n)P,

where lmP,nP is the equation of the line through mP andnP (or the tangent line when mP = nP ) and v(m+n)P theequation of the vertical line through (m + n)P.

Algorithm 1 Miller’s algorithm for elliptic curvesInput: s ∈ N and P, Q ∈ E[r] with P 6= QOutput: fs,P (Q)

Write s =PL

j=0 sj2j , with sj ∈ {0, 1} and sL = 1.

T ← P, f ← 1.for j = L− 1 down to 0 do

f ← c2lT,T (Q)/v2T (Q)T ← 2Tif sj = 1 then

f ← flT,P (Q)/vT+P (Q)T = T + P

end ifend forReturn f

For s < 0 it suffices to remark that (fs,P ) = −(f−s,P )−(vsP ). One execution of the main loop in algorithm 1 willbe called a basic Miller iteration, during which one doublingand at most one addition is computed.

D. Optimal pairing

At first, we recall the definition of optimal pairing in [15].Definition 2: Let e : G1×G2 → GT be a non-degenerate,

bilinear pairing with |G1| = |G2| = |GT | = r, wherethe field of definition of GT is Fqk . e(·, ·) is called anoptimal pairing if it can be evaluated with about at most(log2 r)/ϕ(k) + ε(k) Miller iterations, where ε(k) is lessthan log2 k.

The following thorem gives a simple criterion for deter-mining whether a pairing as,h is an optimal pairing.

Theorem 1: [14] Assume that s is a primitive k-th root ofunity modulo r2. Let h(x) =

∑ϕ(k)−1i=0 hix

i be a polynomialin Z[x] of degree less than ϕ(k) − 1 with h(s) ≡ 0 mod rand h(s) 6= 0 mod r2 and let ω(h) be the Hamming weightof (h0, · · · , hϕ(k)−1). If∏

0≤i≤ϕ(k)−1hi 6=0

|hi| ≤ 2−ω(h)kr1/ϕ(k),

then as,h is an optimal pairing.

III. CONSTRUCTING PAIRING-FRIENDLY ELLIPTICCURVES WITH OPTIMAL PAIRING

A. Construction method

In this subsection, we introduce an explicit algorithms toconstruct elliptic curve with optimal pairing. Constructions ofpairing-friendly curves make substantial use of the theory ofcyclotomic polynomials. We recall a few basic facts here; fora deeper discussion, see Lidl and Niederreiters book [11]. Forevery positive integer k, we let ζk denote a primitive k-th rootof unity in Q, i.e., an algebraic number such that ζk

k = 1 andζlk 6= 1 for any positive l < k. The minimal polynomial of ζk

196

is known as the k-th cyclotomic polynomial and is denotedby Φk(x). These polynomials have integer coefficients andcan be defined recursively by setting Φ1(x) = x − 1 andusing the formula

xk − 1 =∏d|k

Φd(x)

for k > 1. The degree of Φk(x) is ϕ(k). The followingwell-known observation[4] is crucial for the construction ofprime-order curves with embedding degree k.

Lemma 1: Let k be a positive integer, E/Fq an ellipticcurve with ]E(Fq) = hr where r is prime, and let t be thetrace of E/Fq. Assume that r - k. Then E/Fq has embeddingdegree k with respect to r if and only if Φk(q) ≡ 0(modr),or, equivalently, if and only if Φk(t− 1) ≡ 0(modr).

The following algorithm gives a procedure for constructingpairing-friendly curve with an optimal pairing.

Algorithm 2 Algorithm for finding an elliptic curveInput: A positive integer kOutput: q, r, t, D1. Find a prime number r = Φk(s) in the sequence

R = {Φk(x)|x ∈ Z}.2. Find a prime number q = k0r + s in the arithmetic series

Q = {kr + s|k ∈ Z}.3. Let t = s + 1. Factor integer 4q − t2 = Dy2,where D is a square-free integer.4. Output: q, r, t, D

The key feature of this algorithm is that r = Φk(s) andq is chosen in arithmetic series modulus r such that 4(q +1− t) is divisible by r. The choice of t = s + 1 ensures thatΦk(t − 1) ≡ 0 mod r. By the step 3 of the algorithm, theCM equation is satisfied. For such q, r, t, if D < 1012 thenE can be constructed via the CM method. Notice that in thismethod we can not choose the discriminant D arbitrarily.

B. Optimal pairings defined on the elliptic curves

In this subsection, we introduce some new optimal pairingsexcept the general optimal ate pairing. Let r ∈ R ={Φk(x)|x ∈ Z} be a prime number i.e., there exists an integers such that r = Φk(s) and let

hi(x) = xi − sxi−1, 1 ≤ i ≤ k.

The main result in this paper is the following theorem.Theorem 2: Let r, s and hi(x), 1 ≤ i ≤ k be defined as

above, and s′ be a k-th primitive root of unity modulus r2

and s ≡ s′ mod r. Then1) for 1 ≤ i ≤ k, as′,hi are optimal pairings,2) if q, r, s are resulted from algorithm 2, then the result-

ing curves may have small ρ ≈ 1,3) as′,h1 is the general optimal ate pairing.The main steps in the proof of Theorem 1 are the following

results.

Lemma 2: Let r be a prime number and k be an integersatisfying that k|r − 1. Then the number of solutions in theequation xk ≡ 1 mod r is k. If s′k ≡ 1 mod r2, then s′ canbe written as s′ = x0 + y0r mod r2, where

xk0 ≡ 1 mod r, y0 ≡ (kr)−1(x1−k

0 − x0) mod r.Proof Since r is a prime number, there exists an generatorelement g in Z∗

r , i.e., for any α ∈ Z∗r there is an unique

integer 1 ≤ a ≤ r − 1 such that α ≡ ga mod r. By theassumption of k|r − 1, it is easy to see that

αk ≡ 1 mod r ⇐⇒ r − 1k

|a.

This proves the first part of the lemma.If s′k ≡ 1(modr2), then s′k ≡ 1(modr) holds. Assume

that s′k ≡ 1(modr2), then s′ can be written as s′ ≡ x0 +y0r mod r2, where xk

0 ≡ 1 mod r. Therefore we have

s′k ≡ (x0 + y0r)k mod r2

≡ xk0 + kxk−1

0 y0r mod r2

≡ 1 mod r2,

which completes the proof of the second part of the lemma.Lemma 3: Let r, s be defined as above, and s′ be a k-

th primitive root of unity modulus r2 and s′ ≡ s mod r.Then, for all 1 ≤ i ≤ k, we have hi(s′) ≡ 0 mod r andhi(s′) 6= 0 mod r2.Proof By the assumption of the lemma, it is not difficult tosee that s′ 6= s mod r2. Since s ≡ s′ mod r, and by thedefinition of hi(x), we have

hi(s′) ≡ 0 mod r.

Suppose hi(s′) ≡ 0 mod r2, then we have

s′i ≡ ss′i−1 mod r2.

Since gcd(s′, r) = 1, this gives s′ ≡ s mod r2, whichcontradicts to s′ 6= s mod r2, and the proof is complete.

Lemma 4: [8] Let π(x, r, s) be the number of primenumber n less than x satisfying n ≡ s mod r. Then,

π(x, r, s)− x

ϕ(r) ln x= o(c(x exp(−c1(lnx)c2))),

where c1, c2 are fixed positive numbers.Proof of Theorem 1 By the assumption of Theorem 1 and

from Lemmas 2 and 3, there exists s′ satisfying s ≡ s′ mod rand

hi(s′) ≡ 0 mod r, hi(s′) 6= 0 mod r2, 1 ≤ i ≤ k.

Hence, by fact 1, for all 1 ≤ i ≤ k, as′,hiare non-degenerate

bilinear pairings. From the definition of hi(x), it is easy tosee that as′,hi

can be computed with log2 s basic Milleriterations. Since s = r

1ϕ(k) + o(1), we have that as,hi are

optimal pairings, so 1 of the theorem follows.Since s′ ≡ s mod r and Q ∈ E(Fq)[r], we can obtain

(fs′,h1,Q) = (s′Q)−s(Q)+(s−1)(O) = (sQ)−s(Q)+(s−1)(O),

197

so as′,h1(Q,P ) = fs′,h1,Q(P )qk−1/r is the general atepairing.

From Lemma 4, on average, we can find a prime numberq less than r ln r satisfying step 2 of algorithm 2. Hence

ρ =ln q

ln r≤ ln(r ln r)

ln r≤ 1 +

ln(ln r)ln r

,

which completes the proof of 3 of the theorem.

C. Analysis of the construction methods

In this section, we analyse the efficiency of our construc-tion method.

Step 1 of algorithm 2 is motivated by the fact: if f(x) ∈Z[x], then a famous conjecture of Buniakowski and Schinzel(see [9], p. 323) says that a nonconstant f(x) takes an infinitenumber of prime values if and only if f has positive leadingcoefficient, f is irreducible, and gcd({f(x) : x ∈ Z}) = 1.Cyclotomic polynomial Φk(x) of which the leading coeffi-cient is 1, is irreducible, and Φk(0) = 1, i.e. Φk(x) satisfiesthe conditions of the conjecture. In practice, one can oftenfind a prime number in the sequence R = {Φk(x)|x ∈ Z}.

A prime number q in step 2 of algorithm 2 can be foundefficiently by Lemma 4.

For the efficiency of step 3 of algorithm 2, the followingresult is necessary.

Proposition 1: If D < 1012, then the number of integern has binary length m and has form n = Dy2 is at least2

m2 +20.

Proof Let N denote the number of integers n satisfying theproposition’s condition, then

N =∑

2m≤Dy2≤2m+1−1D≤240

1 =240∑

D=1

∑2m≤Dy2≤2m+1−1

1

=40∑

l=1

2l∑D=2l−1

∑D−12m≤y2≤2m+1D−1

1

≥40∑

l=1

2l∑D=2l−1

2m−l

2 ≥ 2m2 +20.

This completes the proof of the proposition.From proposition 1, if we want to have a m-bit q, step 3 of

algorithm 2 has to be repeated approximately 2m2 −20 times

to find one value for 4q − t2 that factor in the desired form.Bernstein, Lenstre, and Pila [1] provide an algorithm to

determine whether an integer n is square of an integer. Thisalgorithm takes time lg n(lg lg n)o(1). Hence, in step 3 ofalgorithm 2, it is efficient to determine whether 4q − t2 hasthe desired form of Dy2 with D < 1012.

IV. CONCLUSION

In this paper, we consider the optimal pairing which wasintroduced by Vercautern and provide an explicit method toconstruct pairing friendly curves with optimal pairing. Our

algorithm works for arbitrary embedding degree k and largeprime subgroups order r. The resulting curves are definedover prime fields Fq with ρ = log q

log r ≈ 1 and some newoptimal pairings defined on the resulting curves are found.

REFERENCES

[1] J.Bernstein, J. W. Lenstre, and J. Pila, Detecting perfect powers byfactoring into coprimes, Math. Comp, Vol 76, no.257, pp.385-388, 2007.

[2] P. S. L. M. Barreto, S. Galbraith, C. O hEigeartaigh, and M. Scott, Ef-ficient pairing computation on supersingular abelian varieties, Designs,Codes and Cryptography, 42(2007) 239-271.

[3] I. Duursma and H. -S Lee, Tate pairing implementation for hyperellipticcurves y2 = xp − x + d, in Advances in Cryptology–Asiacrypt’2003,LNCS 2894, pp. 111-123.

[4] D. Freeman, M. Scott, E. Teske, A taxonomy of pairing-friendly ellipticcurves, Journal of Cryptology, Vol23(2), 224-280, 2010.

[5] R. Granger, F. Hess, R. Oyono, N. Theriault and F. Vercauteren, AtePairing on Hyperelliptic Curves. In EUROCRYPT 2007, volume 4515of Lecture Notes in Computer Science, pages 430-447. Springer-Verlag,2007.

[6] F. Hess, Pairing Lattices, Pairing 2008, LNCS 5209, 18-38, 2008.[7] F. Hess, N. Smart, and F. Vercauteren, The Eta-pairing revisited. IEEE

Transactions on Information Theory, 52(10):4595-4602, 2006.[8] M.N. Huxley, The distribution of prime numbers, Oxford, 1972.[9] S. Lang, Algebra, revised 3rd edition. Springer, 2002.[10] E. Lee, H.-S. Lee, and C.-M. Park, Efficient and Generalized Pair-

ing Computation on Abelian Varieties. Preprint, 2008. Available fromhttp://eprint.iacr.org/ 2008/040.

[11] R. Lidl, and H. Niederreiter, Finite Fields. Cambridge University Press,1997.

[12] S. Matsuda, N. Kanayama, F. Hess, and E. Okamoto. Optimised ver-sions of the Ate and twisted Ate pairings. In The 11th IMA InternationalConference on Cryptography and Coding, volume 4887 of Lecture Notesin Computer Science, pages 302-312. Springer-Verlag, 2007.

[13] V. S. Miller. The Weil pairing, and its efficient calculation. J. Cryptol-ogy, 17(4):235-261, 2004.

[14] Mingqiang Wang, Puwen Wei, Haifeng Zhang, Yuliang Zheng, Optimalpairing revisited, http://eprint.iacr.org/2009/564.

[15] F. Vercauteren, Optimal Pairings, IEEE Transactions on InformationTheory, Volume 56 (1): 455-461, 2010.

198